Final Minutes of DNSEXT @ IETF-68

Date: Wednesday March 21st
Time: 13:00 - 14:30
Location: Roma
Chairs: Olafur Gudmundsson, Olaf Kolkman
Minute taker: Antoin Verschuren
Jabber Scribe: Andrew Sullivan
Jabber Log: http://www3.ietf.org/meetings/ietf-logs/dnsext/2007-03-21.html

The minutes of the IETF-67 meeting were approved.

Note: This set of minutes will not repeat what is in the presentations, unless it is related to milestones or working group actions. Links to presentations are provided.

Document status:

RFCs published since IETF-67:
  RFC4795  Link-Local Multicast Name Resolution (LLMNR)

Documents advanced:
  NSID                    Standards track   IANA state
  DNSSEC-experiments      Experimental      Editor Discuss state
  OPT-In                  Normative ref     Editor state
  Roll-over requirements  Informational     AD Go-ahead state
  Trust-update timers     Informational     AD Go-ahead state
  2929bis                 BCP               AD evaluation
  NSEC3                   Standards track   AD evaluation

Last call completed:
  DSA Keying                    Standards track   AD queue
  Diffie-Hellman Keying         Standards track   AD queue
  DNSSEC Transition Mechanisms  Informational     waiting for editor

Other:
  Use of RSA/SHA-256 DNSKEY and RRSIG Resource Records in DNSSEC ---- Killed 2 Zombies. Promise from Olaf for next meeting.

WG documents:
  DNAME
  ECC-KEY
  DNSSECbis updates
  Anti spoofing

Individual:
  DNSSEC SigOnly: No working group consensus to adopt as a WG document.

Agenda bashing: No new agenda items.


DNAMEbis presentation (Scott Rose)
http://www3.ietf.org/proceedings/07mar/slides/dnsext-1.ppt
http://tools.ietf.org/wg/dnsext/draft-ietf-dnsext-rfc2672bis-dname/

The document is chartered by the working group to update RFC2672 and address any issues that people have with the original specification, based on implementation or operational experience as well as a better understanding of DNS and aliasing in general. The editors have started an issue tracker and are looking for feedback on the issues (see the presentation for the list of issues).

Discussion.
Olafur: On NSEC3 under DNAME. Asks for support. Is the DO bit sufficient?
Matt Larson: We have lots of bits.
Mark Andrews: Lots of legacy nameservers don't know about DNSSEC, but do know DNAME.
Rob Austein: Just go ahead -- can't define an error case you can't test for.


DNS Hardening presentation (Stephane Bortzmeyer)
http://www3.ietf.org/proceedings/07mar/slides/dnsext-0.pdf
http://tools.ietf.org/wg/dnsext/draft-ietf-dnsext-forgery-resilience/

  Improve integrity of data.
  Maybe we should improve data before DNSSEC is implemented.
  Description of spoofing.
  Make query parameters difficult to guess.
  Issue tracker online: no issues submitted yet.
  Move to WG last call?

Discussion.
Peter Koch: Have been ranting against the draft; the document is weak on terminology. It leaves out operational considerations. Doesn't make exceptions. For example, could you source queries from the echo or timeofday port?
Stephane: On UNIX, ports below 1024 are not generally available to the resolver.
Peter: These things need to be in here. Look at port distributions on larger nameservers. Firewalls need to be considered. Cure is worse than the disease.
Roy Arends: Do you do something about the birthday paradox?
Stephane: Yes.
Olaf: Main difference between the initial and last version of the document: it's now a WG document.
Otmar Lendl: Should the document mention that mapping tables may be overwhelmed, and even so appliances?
Bill Manning: It may take long to deploy. We're talking about replacing resolvers here; that will take a long time.
Mark Andrews: We're not talking about changing the protocol here.
Olafur: This change is also for the benefit of DNSSEC.
Mark: What if implementation-specific restrictions occur?
Olafur: Who wants to work on this?
Volunteers: Matt Larson, Roy Arends, Scott Rose, Stephane Bortzmeyer, Peter Koch


DNSSECbis update presentation (Olaf Kolkman)
http://tools.ietf.org/wg/dnsext/draft-ietf-dnsext-dnssec-bis-updates/

Slowly maintained document. An issue was discovered last week in one implementation regarding canonicalization of RDATA in NSEC records. RFC 4034 was consulted. Was it a bug in the spec or in the code? Discussion was held on the mailing-list.

Discussion.
Roy Arends: Take the path of least surprise. Update RFC 4034. Remove NSEC and RRSIG from the list for down-casing.
Rob Austein: Updating the list, we added NSEC by mistake.
Olaf: As one of the implementors: updating 4034 is OK.
Olafur: Should we remove RRSIG as well?
Roy: Perhaps we do.
Mark Andrews: We don't take signatures over signatures at the moment. So this is an orthogonal question.
Olaf: For validation and for creation of signatures, you use the lower-case owner name. Think we should take that to the mailing-list. So OK, yes, we should take RRSIG also from the list.
Olafur: Action item: Vote: propose to take NSEC out of the list: clear hums for yes have it. No hums against. RRSIG will be discussed on the mailing-list after consultation and careful examination of RFC4034.


2929bis (Olafur Gudmundsson)
http://www3.ietf.org/proceedings/07mar/slides/dnsext-2.ppt
http://tools.ietf.org/wg/dnsext/draft-ietf-dnsext-2929bis/

The process should be run by IANA. There is some conflict of interests, so multiple experts are needed. The document needs to state the obvious cases. Corner case: what if a template is rejected due to insufficient information, does a new template need to be submitted or not?

Discussion.
Donald Eastlake: I don't get it. If it's rejected it's rejected. Just submit it again with more data. If the problem is that small, then why reject?
Olafur: Expert: Ed Lewis: received complaint about who he worked with. Complaint was rejected by Olafur.
Olaf: Just to be sure, let's have a pool of experts.
Olafur: Comments on process?
Peter Koch: There might be disagreement whether an application could be applicable under the draft.
Olafur: New RRtypes have 2 paths. The current template does not distinguish between new types that have a name inside and those that do not.


Open Mike on the future of the Working Group.

Olaf: We have 4 drafts, one to be finished, DNSSECbis a working document. Question: how should we continue? Except from RFC list to be pursued on Standards track. Perhaps we can get new work. A working group is a place where work needs to be done. Most of the charter is accomplished. Should we go dormant? Should we stop?
Rob Austein: Mixed feelings. If we close we will reopen if we discover issues.
Mark Townsley: Dormant working groups do exist. PPP is one. There is a chair, but they don't meet. So it can be done.
Rob Austein: As DNSOP co-chair: we will get the questions.
Ed Lewis: Question: DNS protocol is done, no new engineering. Demand for features: should we do more engineering to do so in DNS or elsewhere? If there is no WG, no one will publicize new drafts.
Joe Abley: Reason for DNSEXT is to police what is going on in other WGs.
Olafur: You can do that as a dormant WG.
Joe: I like dormant, not stop.
Mark Townsley: DNS Directorate doesn't have a "whack-a-mole" job yet. No problem with dormant. Limited charter.
Olafur: What is the hurdle for a dormant WG to wake up?
Mark: You'll have to recharter.
Michael Richardson: We just want a clear signal that DNSSEC is done. Don't think the WG needs to be active for that.
Bill Manning: Remember the last time we killed a DNS WG, several new DNS WGs were formed. This is one of them. If it's there to get rid of bad ideas, recharter to DNS shepherding.
Olaf: So recharter to DNS Police.
Ed Lewis: Don't want to keep the WG around to promote drafts. Should we?
Olaf: If there's no WG, nobody does the work. Task is to remind people to do work.
Ed: Can you ask on the list if there are people that will do that anyway? Do people want that?
Rob: I feel more towards dormant. Need to recharter anyway, but dormant is better because it still has a mailing-list. Moderation of that may be a good thing.
Steve Crocker: How would you tell the difference between a moderated and an unmoderated namedroppers list?
(haha, laughter in the room)
The maintenance of documents and moving them to the standards process after a WG closes is an issue not only applicable to this WG.
Mike StJohns: Expertise comes from this WG. It would be useful to keep the cavalry around.
Harald Alvestrand: Non-IETF mailing-lists do exist.
Olaf: So the conclusion is that I feel some consensus on dormant. Proposing to lift some language from the PPP charter and write a charter to go to sleep.


Any other business
Olaf: First time not out of time, and no other business. Might be a sign?


Presentation on DNSSEC Deployment (Steve Crocker)
http://www3.ietf.org/proceedings/07mar/slides/dnsext-3.ppt

DNSSEC deployment group. www.dnssec-deplyment.org.

End of meeting, look at the mailing-list to see if we meet again......
Meeting ended
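The DNS Hardening presentation above summarizes the forgery-resilience draft as "make query parameters difficult to guess", and Roy Arends asks about the birthday paradox. The following is an added illustration (not code from the minutes, the presentation, or the draft) of what that means on the resolver side: a pending-query table that picks a random query ID and a random source port per upstream query, accepts a response only if it matches every one of those parameters plus the server address and question, and coalesces identical in-flight queries so that the number of outstanding copies of one question does not multiply an attacker's chances. The class and function names, the ephemeral port range, and the sample addresses are assumptions chosen for the example.

```python
"""Resolver-side model of query-parameter unpredictability (hypothetical code,
written for these minutes; not the forgery-resilience draft's text)."""
import math
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    qname: str
    qtype: str


@dataclass(frozen=True)
class Pending:
    qid: int          # 16-bit DNS message ID, chosen at random
    sport: int        # UDP source port, chosen at random from the ephemeral range
    server: str       # upstream server address the query went to
    question: Question


class PendingTable:
    """Tracks outstanding upstream queries keyed on the parameters a forged
    response would have to reproduce: server address, question, ID and port."""

    def __init__(self, ephemeral_ports=range(1024, 65536)):
        # Passing a single-element list (e.g. [53]) models a resolver with a
        # fixed source port, which removes the port from the guessing space.
        self.ports = ephemeral_ports
        self.outstanding = {}   # (server, question) -> Pending
        self.rejected = 0       # responses dropped for not matching

    def send(self, server, question):
        """Record a new upstream query; identical in-flight queries are coalesced
        (one mitigation for the birthday issue raised in the discussion)."""
        key = (server, question)
        if key in self.outstanding:
            return self.outstanding[key]
        pending = Pending(
            qid=secrets.randbelow(1 << 16),
            sport=self.ports[secrets.randbelow(len(self.ports))],
            server=server,
            question=question,
        )
        self.outstanding[key] = pending
        return pending

    def receive(self, server, dport, qid, question):
        """Accept a response only if it matches an outstanding query exactly."""
        key = (server, question)
        pending = self.outstanding.get(key)
        if pending is None or pending.qid != qid or pending.sport != dport:
            self.rejected += 1
            return False
        del self.outstanding[key]   # a matched query is no longer outstanding
        return True


def guess_space_bits(id_bits=16, ephemeral_ports=range(1024, 65536)):
    """Entropy, in bits, a response must match: ID plus source port."""
    return id_bits + math.log2(len(ephemeral_ports))


if __name__ == "__main__":
    table = PendingTable()
    q = Question("www.example.", "A")          # constructed sample query
    sent = table.send("192.0.2.1", q)          # constructed server address
    print("guess space, random port:", round(guess_space_bits(), 2), "bits")
    print("guess space, fixed port: ", guess_space_bits(ephemeral_ports=[53]), "bits")
    print("wrong ID accepted?", table.receive("192.0.2.1", sent.sport, (sent.qid + 1) % 65536, q))
    print("exact match accepted?", table.receive("192.0.2.1", sent.sport, sent.qid, q))
```

The numbers printed for the two configurations make the presentation's point concrete: with a fixed source port a response has to match only the 16-bit ID, while a randomized port adds close to another 16 bits that a forged response must also get right.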
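The DNSSECbis discussion above concerns the list of RR types in RFC 4034 section 6.2 whose RDATA domain names are converted to lower case when an RR is put into canonical form, and the WG vote to take NSEC out of that list (RRSIG deferred to the list). The following added example (written for these minutes, not code from the working group or any implementation) builds the canonical wire form of an RR with a configurable down-casing list and shows the interoperability consequence that was reported: a signer and a validator that disagree on whether NSEC belongs on the list hash different bytes for an NSEC record whose next-name contains upper case, while a CNAME, which is on both lists, is unaffected. The type subset, the field model, the use of SHA-256 as a stand-in for the data an RRSIG covers, and the sample names are all assumptions for the example.

```python
"""Canonical RR form per RFC 4034 section 6.2 with a configurable list of types
whose RDATA names are downcased (hypothetical example; not the minutes' code)."""
import hashlib
import struct

TYPE_CODES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "RRSIG": 46, "NSEC": 47}
CLASS_IN = 1

# Subset of the RFC 4034 section 6.2 list (the RFC's list is longer).
RFC4034_DOWNCASE = frozenset({"NS", "CNAME", "MX", "RRSIG", "NSEC"})
# The list after the WG vote: NSEC removed. RRSIG is shown removed as well,
# which the minutes leave for mailing-list discussion (assumption here).
AMENDED_DOWNCASE = RFC4034_DOWNCASE - {"NSEC", "RRSIG"}


def name_to_wire(name: str, lowercase: bool) -> bytes:
    """Uncompressed wire form of a presentation-format name, optionally downcased."""
    labels = name.rstrip(".")
    if lowercase:
        labels = labels.lower()
    wire = b""
    for label in filter(None, labels.split(".")):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def type_bitmap(type_names) -> bytes:
    """NSEC type bitmap (RFC 4034 section 4.1.2), window block 0 only."""
    codes = sorted(TYPE_CODES[t] for t in type_names)
    if not codes or codes[-1] > 255:
        raise ValueError("example supports window 0 types only")
    length = codes[-1] // 8 + 1
    bits = bytearray(length)
    for code in codes:
        bits[code // 8] |= 0x80 >> (code % 8)
    return b"\x00" + bytes([length]) + bytes(bits)


def canonical_rdata(rtype: str, fields, downcase_types) -> bytes:
    """Build RDATA; ('name', ...) fields are downcased only if rtype is on the list."""
    lower = rtype in downcase_types
    out = b""
    for kind, value in fields:
        if kind == "name":
            out += name_to_wire(value, lower)
        elif kind == "u16":
            out += struct.pack("!H", value)
        elif kind == "bytes":
            out += value
        else:
            raise ValueError("unknown field kind %r" % kind)
    return out


def canonical_rr(owner, ttl, rtype, fields, downcase_types) -> bytes:
    """Canonical wire form of one RR; the owner name is always downcased."""
    rdata = canonical_rdata(rtype, fields, downcase_types)
    header = struct.pack("!HHIH", TYPE_CODES[rtype], CLASS_IN, ttl, len(rdata))
    return name_to_wire(owner, True) + header + rdata


def signing_input_digest(owner, ttl, rtype, fields, downcase_types) -> str:
    """Stand-in for the data an RRSIG covers: SHA-256 over the canonical RR.
    (A real RRSIG also prefixes its own RDATA and covers the whole RRset.)"""
    return hashlib.sha256(canonical_rr(owner, ttl, rtype, fields, downcase_types)).hexdigest()


def signer_validator_agree(owner, ttl, rtype, fields, signer_list, validator_list) -> bool:
    """True if a signer using signer_list and a validator using validator_list
    would hash the same bytes, i.e. the signature would verify."""
    return (signing_input_digest(owner, ttl, rtype, fields, signer_list)
            == signing_input_digest(owner, ttl, rtype, fields, validator_list))


# Constructed sample RDATA with mixed-case names.
NSEC_FIELDS = [("name", "Beta.Example."), ("bytes", type_bitmap(["A", "RRSIG", "NSEC"]))]
CNAME_FIELDS = [("name", "Target.Example.")]

if __name__ == "__main__":
    for rtype, fields in (("NSEC", NSEC_FIELDS), ("CNAME", CNAME_FIELDS)):
        agree = signer_validator_agree("alpha.Example.", 3600, rtype, fields,
                                       RFC4034_DOWNCASE, AMENDED_DOWNCASE)
        print(f"{rtype}: signer (RFC 4034 list) and validator (amended list) agree: {agree}")
```

Running it prints False for the NSEC record and True for the CNAME, which is exactly why the list change matters: an NSEC whose next-name is stored in mixed case validates or fails depending on which list each side implements, whereas an all-lower-case next-name canonicalizes identically either way.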